Question:


How can secure LDAP access be enabled on the Portal?

When enabling Active Directory over SSL and changing the corresponding port to 636, an error is received that the connection has failed ("failed to connect to").

Answer:

In some cases you have to verify connectivity and make sure that valid certificates are imported into the Appliance, using the steps below.

Steps:

NOTE: Replace any "nxtsvr001dc.nxtsuplab.loc" or "nxtsvr001dc" with the corresponding AD server for this procedure.

Verify connectivity to the DC on the LDAPS port from the portal CLI:

nc -vz -w 1 nxtsvr001dc.nxtsuplab.loc 636
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 172.19.1.201:636.
Ncat: 0 bytes sent, 0 bytes received in 0.02 seconds.

Pull the AD server certificate and verify that one is present between the -BEGIN CERTIFICATE- and -END CERTIFICATE- lines:

openssl s_client -host nxtsvr001dc.nxtsuplab.loc -port 636 -prexit -showcerts

If so, export it to a file named ADserver.pem:

echo | openssl s_client -connect nxtsvr001dc.nxtsuplab.loc:636 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >ADserver.pem

If not, please follow up with the administrator of the AD server.

NOTE: If the first command presents multiple certificates (root CA and intermediates), you may also need to import these into the Java keystore. See the end of this document for how to export them from the LDAPS server.

Verify that the information in the certificate is valid:

openssl x509 -text -in ADserver.pem

Stop the portal:

sudo systemctl stop nxportal

Import the ADserver certificate into the keystore.

NOTE: Change the alias to one that corresponds to your environment.

sudo sh /var/nexthink/portal/security/import_certificate.sh -alias nxtsvr001dc -file /home/nexthink/ADserver.pem -storepass changeit

Sample output:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: Nexthink Certificate import script version 08.06.rev001 ::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Owner: CN=NXTSVR001DC.nxtsuplab.loc
Issuer: CN=NXTSVR001DC.nxtsuplab.loc
Serial number: 53a0747786ba12b442f61c3580ef6383
Valid from: Tue Oct 22 11:27:29 CEST 2019 until: Thu Oct 22 02:00:00 CEST 2020

Certificate fingerprints:

         MD5:  55:91:28:A7:4B:16:5D:B3:DA:C6:1D:3B:1B:1C:5F:C5
         SHA1: 13:CC:9D:39:51:93:DA:CF:73:AD:F4:15:DA:3E:DD:7E:70:53:97:23
         SHA256: 3D:2F:B1:05:B5:47:68:16:AE:50:0A:95:7A:B7:30:17:23:B0:9B:4E:13:1A:5C:CC:C9:15:F2:CB:5B:FF:D9:BE

Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false

ExtendedKeyUsages [
  serverAuth
]

#2: ObjectId: 2.5.29.15 Criticality=false

KeyUsage [
  Key_Encipherment
  Data_Encipherment
]

Trust this certificate? [no]:  yes

Certificate was added to keystore

Start the portal:

sudo systemctl start nxportal

Go back to the Portal's web console and test the connection on port 636.

To export all the certificates from the LDAPS service, the following example can be used.

Get the chain, up to 5 levels deep.

NOTE: Replace YOURLDAPS_SERVER with the FQDN of your LDAPS server.

openssl s_client -showcerts -verify 5 -connect YOURLDAPS_SERVER:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}'

Rename each file after the CN field of its certificate:

for cert in *.pem; do newname=$(openssl x509 -noout -subject -in "$cert" | sed -n 's/^.*CN *= *\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g;p').pem; mv "$cert" "$newname"; done

This should retrieve all certificates and convert them for later import into the Java keystore.
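As an added example (not code from the original article), the shell helpers below wrap the steps of both procedures above: splitting the chain fetched with openssl s_client -showcerts, naming each file after its CN, and checking expiry and host-name match before the keystore import. The function names, the cert*.pem file naming and any host names passed in are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: shell helpers that wrap the
# steps above (split the LDAPS chain, name files by CN, sanity-check a cert).
# Host names, paths and directories passed in are assumed placeholders.
set -u

# Split a PEM bundle (e.g. saved output of "openssl s_client -showcerts") into
# cert1.pem, cert2.pem, ... under $2 and print how many certificates it held.
split_chain() {
    local bundle="$1" outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/ {
        if (/-BEGIN CERTIFICATE-/) n++
        print > (dir "/cert" n ".pem")
    } END { print n + 0 }' "$bundle"
}

# Print the subject CN of a certificate sanitised as a file name (same
# substitutions as the rename loop above; "CN *= *" also matches newer OpenSSL).
cert_cn() {
    openssl x509 -noout -subject -in "$1" |
        sed -n 's/^.*CN *= *\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g; p'
}

# Rename every cert*.pem in directory $1 to <CN>.pem, printing the new names.
rename_by_cn() {
    local f new
    for f in "$1"/cert*.pem; do
        new="$1/$(cert_cn "$f").pem"
        mv "$f" "$new" && basename "$new"
    done
}

# Succeed only if the certificate stays valid for at least $2 more seconds
# (default 0, i.e. it has not expired yet).
cert_not_expired() {
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null
}

# Succeed if host $2 is listed in the certificate's SAN DNS names; fall back to
# the subject CN when the certificate carries no SAN (older AD certificates).
cert_matches_host() {
    local names
    names=$(openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null |
        grep -o 'DNS:[^, ]*' | cut -d: -f2)
    [ -n "$names" ] ||
        names=$(openssl x509 -noout -subject -in "$1" | sed -n 's/^.*CN *= *\([^,]*\).*$/\1/p')
    printf '%s\n' $names | grep -qix "$2"
}
```

Run split_chain on the saved s_client output, then rename_by_cn on the output directory, and check each file with cert_not_expired and cert_matches_host before passing it to import_certificate.sh.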